On Thu, Feb 23, 2006 at 12:17:58AM +0100, Bruno wrote:
> On Wednesday 22 February 2006 23:44, Jon Scottorn wrote:
> > Is it recommended to not use mount within a vserver, should I just mount
> > it from the host side or does it not really matter if I do mount it
> > within the vserver?
> You should only add mount capabilities to the guest if you trust what's
> running inside.
> If you can, it's better to mount your NFS mountpoints from the host
> (from either host or guest network context, depending on your choice).

I agree here, but the main reason is that NFS mounts
have a potential for DoS (think timeout).

> This is more of a personal decision on what permissions you give to
> your guest's root. But if mounting is possible, you can't prevent the
> guest from accessing any devices (e.g. by mounting a pre-made /dev to
> work around missing mkdev capability).

that's not that easy, as the secure_mount adds nodev
by default.

HTH,
Herbert

> best,
> Bruno
>
> > Thanks again.
> >
> > On Wed, 2006-02-22 at 23:15 +0100, Herbert Poetzl wrote:
> > > On Wed, Feb 22, 2006 at 03:08:46PM -0700, Jon Scottorn wrote:
> > > > Hi All,
> > > >
> > > > I am wondering if the mount command can be run within a vserver?
> > > > I am trying to mount a nfs mount within a vserver and I get permission
> > > > denied. I can mount the nfs share from another machine that is not a
> > > > vserver and it works.
> > >
> > > with sufficient capabilities you can do that
> > >
> > > http://linux-vserver.org/Caps+and+Flags
> > >
> > > check out binary_mount and secure_mount capability
> > >
> > > HTH,
> > > Herbert
> > >
> > > > Thanks in advance,
> > > >
> > > > Jon Scottorn
> > > > Systems Administrator
> > > > The Possibility Forge, Inc.
> > > > http://www.possibilityforge.com
> > > > 435.635.0591 x.1004
> > > >
> > > > _______________________________________________
> > > > Vserver mailing list
> > > > Vserver@list.linux-vserver.org
> > > > http://list.linux-vserver.org/mailman/listinfo/vserver
> >
Received on Thu Feb 23 06:18:05 2006
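
An added example, not part of the thread or of the Linux-VServer tools: a host-side check that reads a mount table in /proc/mounts format and reports, for one guest tree, every mount that lacks the nodev option the thread says secure_mount adds, plus every NFS mount (the timeout concern raised above). The guest root /vservers/web1, the report labels and the sample table are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit a mount table (/proc/mounts format) for one guest tree.
# Assumptions: the guest root path and the report labels are hypothetical.
# Limitation: mount points containing spaces (\040 escapes) are not decoded.

# Constructed sample table: device, mount point, fstype, options, dump, pass.
sample_table() {
cat <<'EOF'
/dev/hda1 / ext3 rw 0 0
/dev/hda3 /vservers/web1 ext3 rw,nodev 0 0
none /vservers/web1/proc proc rw,nodev 0 0
fileserver:/export/data /vservers/web1/srv/data nfs rw,nodev,hard,addr=192.0.2.10 0 0
/dev/hda5 /vservers/web1/mnt/devtree ext3 rw 0 0
/dev/hda6 /vservers/web10 ext3 rw 0 0
EOF
}

# audit_guest_mounts GUEST_ROOT [TABLE]
# Prints one line per finding:
#   NODEV-MISSING <mountpoint> (<fstype>)  device nodes there are usable
#   NFS-REVIEW <mountpoint> (<source>)     a stalled server can block users of it
audit_guest_mounts() {
    guest_root=${1%/}             # tolerate a trailing slash
    table=${2:-/proc/mounts}
    awk -v root="$guest_root" '
    {
        mp = $2
        # Keep only the guest root itself and paths strictly below it,
        # so /vservers/web10 is not confused with /vservers/web1.
        if (mp != root && index(mp, root "/") != 1) next

        # Options are comma separated; match "nodev" as a whole option.
        n = split($4, opts, ",")
        nodev = 0
        for (i = 1; i <= n; i++) if (opts[i] == "nodev") nodev = 1

        if (!nodev)      print "NODEV-MISSING " mp " (" $3 ")"
        if ($3 ~ /^nfs/) print "NFS-REVIEW " mp " (" $1 ")"
    }' "$table"
}

# Stand-alone use: sh audit.sh /vservers/web1 [/path/to/mount-table]
if [ "$#" -gt 0 ]; then audit_guest_mounts "$@"; fi
```
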